Angular CSP error ('unsafe-eval')

Add-ons Development
#1

Hello! Our extension is based on Angular 10.2.0. It doesn’t have eval() in source code and prod build bundle. But when we install the extension in Firefox, we got an error in console for background script (background-script.js:5876:20):

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

image
image942×397 51.9 KB

Also the same error in console for main-es2015.js

image
image847×43 5.87 KB

Besides these two errors the app works correctly.
In this case, can we add ‘unsafe-eval’ to content_security_policy in manifest.json to avoid the error and submit the extension to add-on store?

Or how we can avoid these errors and successfully submit the extension to add-on store?

#2

new Function('<code here>') is a form of eval. If it works fine right now, I’d just try to avoid using the parts of the code that do this kind of eval if it’s in a library.

Adding unsafe-eval to the CSP is almost never an option.

#3

We’ve tried to upload Angular project created from scratch to Add-on validator. As result we got the same CSP in “script-src” warnings in pure project.
Looks like Angular adds eval functions during compilation by Webpack.